URPF configuration

URPF overview

What is URPF

Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks.

Attackers launch attacks by creating a series of packets with forged source addresses. For applications using IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users, or even access the system as the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 61 Attack based on source address spoofing

Switch A originates a request to the server (Switch B) by sending a packet with a forged source IP address of 2.2.2.1/8, and Switch B sends a packet to Switch C at 2.2.2.1/8 in response to the request. Consequently, both Switch B and Switch C are attacked. See Figure 59.

URPF can prevent source address spoofing attacks.

How URPF works

URPF works as follows:

1. If the source IP address of an incoming packet is found in the FIB table:

   URPF does a reverse route lookup for routes to the source address of the packet. If at least one outgoing interface of such a route matches the receiving interface, the packet passes the check. Otherwise, the packet is rejected. The reverse route lookup searches for the outgoing interfaces of routes whose destination IP address is the source IP address of the packet.
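
The check in step 1, modeled on Switch B from the figure, as an added example that is not part of the original manual or the device's own code. The interface names, the 1.0.0.0/8 and 3.0.0.0/8 routes, and the use of longest-prefix matching are assumptions; a source that is not in the FIB falls outside step 1 and is only reported, not decided.

```python
import ipaddress

# Constructed FIB for Switch B: prefix -> set of outgoing interfaces.
# A set with two interfaces models equal-cost routes to the same prefix.
# Interface names and the 1.0.0.0/8 and 3.0.0.0/8 entries are assumptions;
# 2.0.0.0/8 follows the 2.2.2.1/8 address used in the figure.
FIB = {
    ipaddress.ip_network("1.0.0.0/8"): {"if-to-A"},
    ipaddress.ip_network("2.0.0.0/8"): {"if-to-C"},
    ipaddress.ip_network("3.0.0.0/8"): {"if-to-A", "if-to-C"},
}

def reverse_lookup(fib, src):
    """Return the outgoing interfaces of the best route to src, or None."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    # Assumption: the FIB resolves overlapping prefixes by longest match.
    best = max(matches, key=lambda net: net.prefixlen)
    return fib[best]

def urpf_check(fib, src, in_iface):
    """Apply step 1: returns 'pass', 'reject' or 'not-in-fib'."""
    out_ifaces = reverse_lookup(fib, src)
    if out_ifaces is None:
        return "not-in-fib"  # step 1 does not apply; no verdict given here
    # Pass if at least one outgoing interface is the receiving interface.
    return "pass" if in_iface in out_ifaces else "reject"

def classify(fib, packets):
    """Run the check over (source IP, receiving interface) pairs."""
    return [(src, iface, urpf_check(fib, src, iface)) for src, iface in packets]

# Constructed packets arriving on Switch B.
SAMPLE = [
    ("1.1.1.8", "if-to-A"),  # genuine source reached through if-to-A
    ("2.2.2.1", "if-to-A"),  # forged source from the figure
    ("2.2.2.1", "if-to-C"),  # same address arriving from Switch C's side
    ("3.0.0.5", "if-to-A"),  # equal-cost routes: one interface matches
    ("9.9.9.9", "if-to-A"),  # no route to the source
]

if __name__ == "__main__":
    for src, iface, verdict in classify(FIB, SAMPLE):
        print(f"{src:<10} {iface:<8} {verdict}")
```

The forged 2.2.2.1 packet is rejected because Switch B's route back to that address leaves through the interface toward Switch C, not the one the packet arrived on.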